Record 1
Title: Combining Exploratory Analysis and Automated Analysis for Anomaly Detection in Real-Time Data Streams
Authors: Shah, Ahmed; Abualhaol, Ibrahim; Gad, Mahmoud; Weiss, Michael
Published: Ottawa: Talent First Network, 04/2017; vol. 7, pp. 25-31; ISSN 1927-0321
URL: http://timreview.ca/article/1068
Keywords: anomaly detection; cybersecurity; exploratory analysis; real-time data streams; visualization
Abstract:
Security analysts can become overwhelmed by the volume of real-time security information they must monitor to defend their network. They also tend to focus on a limited portion of the alerts, and therefore risk missing important events and the links between them. At the heart of the problem is the system that analysts use to detect, explore, and respond to cyber-attacks. Developers of security analysis systems face the challenge of building a system that can present different sources of information at multiple levels of abstraction while remaining intuitive to use. In this article, we examine the complementary nature of exploratory analysis and automated analysis through the development of a system that monitors real-time Border Gateway Protocol (BGP) traffic for anomalies that might indicate security threats. BGP is an essential component of the Internet's infrastructure; however, it is also highly vulnerable and can be hijacked by attackers to propagate spam or launch denial-of-service attacks. Some attack scenarios against the BGP infrastructure can be quite elaborate, and it is difficult, if not impossible, to fully automate the detection of such attacks. This article makes two contributions: i) it describes a prototype platform for computing indicators and threat alerts in real time and for visualizing the context of an alert, and ii) it discusses the interaction of exploratory analysis (visualization) and automated analysis.

This article is relevant to students, security researchers, and developers who are interested in the development or use of real-time security monitoring systems. They will gain insights into the complementary aspects of automated analysis and exploratory analysis through the development of a real-time streaming system.

Record 2
Title: Examining the Modes Malware Suppliers Use to Provide Goods and Services
Authors: Bailetti, Tony; Gad, Mahmoud
Published: Ottawa: Talent First Network, 02/2016; vol. 6, pp. 21-27; ISSN 1927-0321
URL: http://timreview.ca/article/965
Keywords: agents; customers; cybercrime; cybersecurity; malware; modes; multisided platform; suppliers
Abstract:
Malware suppliers use various modes to provide goods and services to customers. By mode, we mean "the way" the malware supplier chooses to function. These modes increase monetization opportunities and enable many security breaches worldwide. A theoretically sound framework is needed for examining the various modes that malware suppliers use to produce and sell malware. We apply a general model specified recently by Hagiu and Wright to study five modes that malware suppliers use to deliver goods and services to their customers.

The framework presented in this article can be used to predict the mode in which a malware supplier will function; to study which types of malware suppliers, agents, and customers are attracted to each mode; to discover new modes; and to better understand the threat a malware supplier presents.

Record 3
Title: Intrusion Learning: An Overview of an Emergent Discipline
Authors: Bailetti, Tony; Gad, Mahmoud; Shah, Ahmed
Published: Ottawa: Talent First Network, 02/2016; vol. 6, pp. 15-20; ISSN 1927-0321
URL: http://timreview.ca/article/964
Keywords: adversarial learning; clustering; cybersecurity; enterprise; intrusion detection; intrusion learning; learning algorithms; machine learning; real-time analysis; resiliency; security; streaming network data
Abstract:
The purpose of this article is to provide a definition of intrusion learning, identify its distinctive aspects, and provide recommendations for advancing intrusion learning as a practice domain. The authors define intrusion learning as the collection of online network algorithms that learn from and monitor streaming network data, resulting in effective intrusion-detection methods that enable the security and resiliency of enterprise systems. The network algorithms build on advances in cyber-defensive and cyber-offensive capabilities. Intrusion learning is an emerging domain that draws from machine learning, intrusion detection, and streaming network data. Intrusion learning offers to significantly enhance enterprise security and resiliency through augmented perimeter defense and may mitigate the increasing threats facing enterprise perimeter protection.

The article will be of interest to researchers, sponsors, and entrepreneurs interested in enhancing enterprise security and resiliency.

Record 4
Title: Crimeware Marketplaces and Their Facilitating Technologies
Authors: Gad, Mahmoud
Published: Ottawa: Talent First Network, 11/2014; vol. 4, pp. 28-33; ISSN 1927-0321
URL: http://timreview.ca/article/847
Keywords: anonymity; Bitcoin; crimeware marketplaces; cybercrime; dark web; underground economy
Abstract:
The cybercrime community has evolved from one in which criminals develop their own tools into one in which crimeware (tools and services to carry out or facilitate illegal online activity) can be readily bought, sold, traded, hired, or licensed in online marketplaces. Crimeware marketplaces are expected to grow significantly in the near term, and they will offer an increasing number of services and tools that target mobile computing devices. This article examines the actors, value chains, and modes of operation in underground crimeware marketplaces, and it identifies three facilitating technologies that are likely to significantly expand the reach of cybercriminals. Anonymous e-currency (e.g., Bitcoin) enables anonymous financial transactions; anonymity networks (e.g., Tor) enable anonymous Internet access; and mobile computing provides access to a very large number of potential target devices.
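Record 1 describes a platform that computes indicators and threat alerts over a real-time BGP stream and keeps the context of each alert for an analyst to explore. The following is an added illustration of that idea, written for this listing; it is not the prototype from the article nor code from its authors. It assumes a simplified update record (timestamp, announcement/withdrawal, prefix, origin AS, peer) and two indicators chosen for illustration: an origin-AS change for a prefix (the hijack-like case) and a burst of updates for one prefix inside a sliding window (flapping or a leak). The update stream, prefixes (RFC 5737 documentation ranges) and ASNs (private range) are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class BgpUpdate:
    ts: int                   # seconds since epoch (constructed sample data)
    kind: str                 # "A" = announcement, "W" = withdrawal
    prefix: str
    origin_as: Optional[int]  # None for withdrawals
    peer: str                 # which collector peer reported the update


@dataclass
class Alert:
    ts: int
    indicator: str            # "origin-change" or "update-burst"
    prefix: str
    detail: str
    context: List[BgpUpdate]  # recent updates for the prefix, kept for exploration


class BgpStreamMonitor:
    """Streaming detector: one pass over updates, constant per-prefix state."""

    def __init__(self, window_s: int = 60, burst_threshold: int = 5) -> None:
        self.window_s = window_s
        self.burst_threshold = burst_threshold
        self.origins: Dict[str, Set[int]] = {}                       # prefix -> origin ASNs seen
        self.recent: Dict[str, Deque[BgpUpdate]] = defaultdict(deque)  # prefix -> window
        self.alerts: List[Alert] = []

    def _expire(self, prefix: str, now: int) -> None:
        q = self.recent[prefix]
        while q and now - q[0].ts > self.window_s:
            q.popleft()

    def process(self, upd: BgpUpdate) -> List[Alert]:
        """Feed one update; return alerts raised by it (also appended to self.alerts)."""
        q = self.recent[upd.prefix]
        q.append(upd)
        self._expire(upd.prefix, upd.ts)
        raised: List[Alert] = []

        # Indicator 1: a prefix announced with an origin AS never seen for it before.
        if upd.kind == "A" and upd.origin_as is not None:
            seen = self.origins.setdefault(upd.prefix, set())
            if seen and upd.origin_as not in seen:
                raised.append(Alert(upd.ts, "origin-change", upd.prefix,
                                    f"origin {upd.origin_as} differs from known {sorted(seen)}",
                                    list(q)))
            seen.add(upd.origin_as)

        # Indicator 2: update count for the prefix crosses the threshold within the window.
        # Fires on the crossing only, so a sustained burst yields one alert per crossing.
        if len(q) == self.burst_threshold:
            raised.append(Alert(upd.ts, "update-burst", upd.prefix,
                                f"{len(q)} updates within {self.window_s}s", list(q)))

        self.alerts.extend(raised)
        return raised

    def run(self, updates: List[BgpUpdate]) -> List[Alert]:
        for upd in sorted(updates, key=lambda u: u.ts):
            self.process(upd)
        return self.alerts


# Constructed sample stream: 203.0.113.0/24 changes origin at t=1030;
# 198.51.100.0/24 flaps, reaching 5 updates inside 60 s at t=1034.
SAMPLE_UPDATES = [
    BgpUpdate(1000, "A", "203.0.113.0/24", 64500, "peer1"),
    BgpUpdate(1010, "A", "198.51.100.0/24", 64501, "peer1"),
    BgpUpdate(1020, "A", "203.0.113.0/24", 64500, "peer2"),
    BgpUpdate(1030, "A", "203.0.113.0/24", 64511, "peer3"),
    BgpUpdate(1031, "W", "198.51.100.0/24", None, "peer1"),
    BgpUpdate(1032, "A", "198.51.100.0/24", 64501, "peer1"),
    BgpUpdate(1033, "W", "198.51.100.0/24", None, "peer1"),
    BgpUpdate(1034, "A", "198.51.100.0/24", 64501, "peer1"),
    BgpUpdate(1035, "W", "198.51.100.0/24", None, "peer1"),
]


def run_sample() -> List[Alert]:
    return BgpStreamMonitor(window_s=60, burst_threshold=5).run(SAMPLE_UPDATES)


if __name__ == "__main__":
    for a in run_sample():
        print(a.ts, a.indicator, a.prefix, a.detail, f"context={len(a.context)} updates")
```

The two indicators are deliberately the automated half of the article's argument: an origin change is also what a legitimate provider migration looks like, and a burst is also what a flapping link looks like, so the alert carries the window of updates that produced it rather than a verdict. In a real deployment the origin-change check would be corroborated against RPKI ROAs or IRR data before an analyst is paged.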